Public-sector tech that survives audit.
The hard part isn’t the tooling; it’s the evidence. ASD Essential Eight, IRAP, NIST 800-53, the SSDF + SLSA expectations from US federal — each is checkable when the substrate is encoded, theatre when it isn’t. The AU AI Safety Standard adds another layer most teams aren’t ready for.
The regulatory floor — government
- ASD Essential Eight · Maturity Level 2 is the practical floor; ML3 the audit aspiration
- IRAP · Information Security Registered Assessors Programme for OFFICIAL/PROTECTED workloads
- AU AI Safety Standard · voluntary today, mandated trajectory
- NIST SP 800-53 + 800-218 (SSDF) · the US-federal floor (also: CISA Secure Software Attestation)
- SLSA v1.0 · the provenance level your vendors need to evidence
- NIST AI RMF · the GenAI vocabulary your AI Safety conversation rides on
Run first.
The two diagnostics that surface the most government-specific exposure. Each takes 2–4 minutes; results are shareable via URL hash; nothing is stored.
Reference architectures.
Opinionated paved-paths sized for government constraints — data residency, audit, supply-chain attestation, change-control.
Reference architecture · Regulated GenAI Platform
Sovereign-deployable, prompt-registry, per-decision audit, evals-gated deploys. Suited for AU AI Safety + IRAP environments.
Reference architecture · DevSecOps SLSA L3+ Paved Path
Build provenance, signed images, OPA admission. Maps to E8 ML2 application-control + patching capabilities cleanly.
Reference architecture · Platform Engineering IDP
The substrate that makes E8 controls inherited-by-default instead of remembered-per-team.
Where government teams typically get stuck.
The most-common Tier 2 stuck-points in this sector, with the three substrate moves to the next tier.
Stuck tier · DevSecOps — Repeatable
Where most agencies sit. Three substrate moves to Defined: workload identity, SBOM-to-owner loop, policy-as-code at admission.
Stuck tier · Platform Engineering — Emerging
The platform exists; it’s not yet adopted. Three moves: survey 10 developers, inherit observability defaults, move from ticket-driven to product-driven.
Stuck tier · EA — Consultative
Architecture-by-PDF. Encode top-3 principles, federate, tie capability investment to outcomes.
Read next.
The essays and reference content that go furthest in government conversations.
Essay · AU AI Safety Standard decoded
The 10 guardrails translated into engineering work — the gap between ‘voluntary’ today and the mandate trajectory.
Essay · DevSecOps is supply-chain
Why provenance + signing + SBOMs are now the conversation; CISA Secure Software Attestation as the forcing function.
Essay · The encoded enterprise architect
From PDF principles to policy-as-code. The case for treating architecture as a property of the substrate.
Common anti-patterns in government.
The named failure modes that show up most across government engagements. The catalogue has all 15; these four are the ones that recur here.
Anti-pattern · Vault Theatre
E8 ML2 application-control + privileged-access controls are the audit triggers; static creds in a vault don’t close them.
Anti-pattern · SBOM Shelfware
SSDF/SLSA evidence demands the loop, not just the artefact.
Anti-pattern · PDF Principles
The architecture-document-in-the-shared-drive that never enters the deploy path.
Anti-pattern · Eval Set That Never Runs
The AU AI Safety guardrail-6 (testing) becomes theatre without it.
Working on this in Government & Public Sector?
If you’re preparing for IRAP, hardening against the Essential Eight, or standing up the first agency GenAI use-case under the AI Safety Standard — I work with internal teams to ship the substrate that turns audit from event into property.
How I work → contact@hellouchit.com